Netgate Discussion Forum

    After About 5 Days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre

      archedraft

      screenshots

      ![Firewall NAT Outbound 2.JPG](/public/imported_attachments/1/Firewall NAT Outbound 2.JPG)
      ![Firewall Rules Floating 1.JPG](/public/imported_attachments/1/Firewall Rules Floating 1.JPG)

        archedraft

        Screenshots

        ![Firewall Rules Floating 2.JPG](/public/imported_attachments/1/Firewall Rules Floating 2.JPG)

          m3ki

          Hah, now the topic went from cannot resolve address to... how to make policy-based routing with multiple VPN clients...

            archedraft

            Yeah, I was going to rename the first post but I guess it doesn't let you modify the first post... I'll start a new thread as well lol. Thanks again m3ki!

              m3ki

              Any time :)

              Next steps to think about... you can also forward certain ports, protocols, domains... to go to VPN... etc... moar fun!

                archedraft

                Is it possible to set up a rule that lets certain websites go through the USA VPN even if I am using the machine on the EU VPNs? :D

                  m3ki

                  Lol yes I think so, remember rules go top down.
                  So if a rule is caught before the bottom one, that one is executed.

                  i.e.
                  1. If source... EU, DESTINATION = google.com then US
                  2. If source EU, DESTINATION * then EU

                  So #1 will be executed. You can also use ! in front of an IP etc... which will mean if not this then that.

                  The only issue is I think domain names won't work... and you may have to use an IP address instead.

                    archedraft

                    oh this is exciting!

                      m3ki

                      Haaahhahahaha I have created a monster!

                        archedraft

                        The problem is still there even after making all the changes. The annoying thing is that when the US VPN is in this reconnecting process, it kills all other internet connections, even the EU VPN and normal WAN; however, if all the VPNs are up and running normally and then I disable the USA VPN, the EU VPN and normal WAN work just fine... My entire VPN client setup (with pictures) is shown on page 3. Does anyone have any ideas?

                        Nov 2 06:39:26	openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
                        Nov 2 06:39:26	openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
                        Nov 2 06:39:26	openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
                        Nov 2 06:39:26	openvpn[97331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Nov 2 06:39:26	openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                        Nov 2 06:39:24	openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
                        Nov 2 06:39:24	openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
                        Nov 2 06:39:24	openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
                        Nov 2 06:39:24	openvpn[97331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                        Nov 2 06:39:24	openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
                        Nov 2 06:39:22	openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
                        Nov 2 06:39:22	openvpn[97331]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: hostname nor servname provided, or not known
                        
                        

                        Capture.JPG

                          m3ki

                          What if EU goes down, does it bring down the US one?

                            archedraft

                            If I disable the EU VPN the US VPN works.

                              archedraft

                              Is the only difference between our VPN client configs that you use strongvpn and you use number IP addresses instead of the letter IP address?

                                archedraft

                                I figured out the Cannot resolve host address problem:

                                PIA only supplies domain names and not IP addresses. The domain names will work initially, but after about a week it seems PIA requires you to renew your lease? At that point pfSense is unable to reconnect to the VPN. If you change all the domain names to IP addresses then everything works just fine. I am sure if you are part of this forum you can figure out how to find the PIA IP addresses, but if you cannot figure it out, contact PIA and they will tell you how.

                                  Finger79

                                  Necrobumping this thread because I've been getting this error since becoming a PIA customer.  My workaround was to use a server's IP address in the OpenVPN Client config, but since IPs change, I'd much prefer to use the FQDN and have DNS figure it out.

                                  Thing is, since all DNS queries are sent out through the OpenVPN tunnel to PIA's resolvers, if the tunnel goes down, I'll get this error in the logs:

                                  @OpenVPN:

                                  RESOLVE: Cannot resolve host address: [location].privateinternetaccess.com: hostname nor servname provided, or not known

                                  …and then I will have to manually log into the WebUI and restart the OpenVPN service.

                                  Is there a cleaner solution to this instead of the workaround of hard-coding a PIA IP Address?

                                  (Note:  Each PIA gateway, say us-west.privateinternetaccess.com, resolves to maybe a dozen IP addresses, and they come and go, so sometimes the A record for an IP address will disappear after a week and become invalid.)

                                  Edited to Add:  I'm using the legacy DNS Forwarder (dnsmasq).  Would this problem go away if I switched to using the DNS Resolver (unbound)?  I thought both of them cached DNS, so it's strange that I'm getting the "Cannot resolve host address" error in the first place.  pfSense shouldn't need to resolve anything but look in the localhost cache.

                                  Edit 2:  I have two manual outbound NAT Rules created for PIA:
                                  1.  localhost to PIA:  127.0.0.0/8 to PIA address
                                  2.  LAN to PIA:  [LAN subnet /24 ] to PIA address

                                    Finger79

                                    There's a lot of commercial VPN users in this forum.  Surely not everyone is hard-coding an IP address.  What is everyone here doing to get around this issue?

                                    I spent a ton of hours experimenting today.  I migrated from dnsmasq to unbound, but same results.  I disabled the first NAT rule "localhost to PIA" but same results.

                                    The next thing I'd like to try is to remove the persist-tun directive, but it's hard-coded.  No matter what I do, it's there.

                                    From the manual:

                                    @OpenVPN:

                                    --persist-tun
                                        Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

                                    SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options.

                                    I'm thinking whenever I get a SIGUSR1 reset, I do want to close and reopen the TUN device, which would trigger a new name resolution query.

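
The restart loop in the log excerpt posted earlier in this thread, as an added Python example that is not part of any post: it groups openvpn syslog lines by PID, flags a client that keeps failing RESOLVE with no later tunnel-up message, and records whether the "No server certificate verification method" warning appeared. The names `triage` and `SAMPLE`, the `threshold` default and the fixed year are assumptions; the sample lines are copied from that excerpt.

```python
import re
from datetime import datetime

# Sample lines copied from the log excerpt in the thread (pfSense lists newest first).
SAMPLE = """\
Nov 2 06:39:26 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:26 openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:26 openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 2 06:39:24 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:24 openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:22 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:22 openvpn[97331]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: hostname nor servname provided, or not known
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+openvpn\[(\d+)\]:\s+(.*)$")
RESOLVE = re.compile(r"RESOLVE: Cannot resolve host address: ([^:\s]+)")
UP = "Initialization Sequence Completed"  # OpenVPN's tunnel-up message; not in the excerpt

def triage(log_text, threshold=3):
    """Summarise each openvpn PID; 'stuck' = at least `threshold` RESOLVE failures and no later tunnel-up."""
    procs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn syslog line
        stamp, pid, msg = m.groups()
        # Syslog stamps carry no year; a fixed one (assumption) is enough to order events.
        ts = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
        p = procs.setdefault(pid, {"restarts": 0, "failed": {}, "last_fail": None,
                                   "last_up": None, "no_cert_verify": False})
        hit = RESOLVE.search(msg)
        if hit:
            p["failed"][hit.group(1)] = p["failed"].get(hit.group(1), 0) + 1
            p["last_fail"] = max(filter(None, (p["last_fail"], ts)))
        elif "SIGUSR1[" in msg:
            p["restarts"] += 1
        elif UP in msg:
            p["last_up"] = max(filter(None, (p["last_up"], ts)))
        elif "No server certificate verification method" in msg:
            p["no_cert_verify"] = True
    for p in procs.values():
        recovered = bool(p["last_up"] and p["last_fail"] and p["last_up"] >= p["last_fail"])
        p["stuck"] = sum(p["failed"].values()) >= threshold and not recovered
    return procs

if __name__ == "__main__":
    for pid, p in triage(SAMPLE).items():
        print(pid, "stuck" if p["stuck"] else "ok", sorted(p["failed"]),
              "restarts:", p["restarts"], "cert check missing:", p["no_cert_verify"])
```

Because ordering is by timestamp rather than line position, the same function works on logs listed oldest first.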